The Sunnyvale company that decided patching CVEs was a Sisyphean job - and that the better answer was to delete them before they shipped.

Walk past 440 North Wolfe Road and you would not guess it. Another low office, another suburban tech park, another company logo. Inside, a team of about 110 engineers, security veterans, and federal-facing salespeople is doing something that sounds almost rude in modern software: they are deleting code from other people's containers.
Not patching. Not flagging. Deleting. RapidFort scans the layers of a container image, watches what actually runs in production, and strips out the binaries, libraries, and shell tools that never get touched. The vulnerability count drops. The attack surface shrinks. The ticket queue gets shorter. The engineering team gets its weekends back.
In February 2026 the company closed a $42 million Series A led by Blue Cloud Ventures and Forgepoint Capital - bringing total funding to roughly $60 million. The check landed in a market that was, until very recently, dominated by scanners. RapidFort is not a scanner.
[Figures: company statistics. Numbers from RapidFort, mid-2026. Skeptics encouraged.]
Every Dockerfile begins as a polite optimization and ends as a junk drawer. A base image arrives with hundreds of packages. A developer adds a runtime. Someone bolts on a debugging tool that helped once, in 2022, on a Tuesday. By the time it reaches production, the image is mostly dependencies of dependencies of dependencies - a software bill of materials that reads like a Russian novel.
Security teams inherit this. They scan it. They generate reports. The reports become spreadsheets. The spreadsheets get triaged into POA&Ms - plans of action and milestones - that nobody really wants to action. The phrase "accepted risk" becomes a sort of corporate mantra. Meanwhile, the FedRAMP auditor is sending follow-up emails.
The container security industry's answer, for years, was to scan harder. Better scanners. Smarter prioritization. Reachability analysis. RapidFort's founders looked at the same problem and asked an unfashionable question: what if the goal was not to manage the vulnerabilities, but to make them not exist?
RapidFort was founded in 2020 by Mehran Farimani, Russ Andersson, Rajeev Thakur and George Manuelian - a group with résumés that read like a Bay Area greatest-hits compilation. Palo Alto Networks. F5. AWS. Cisco. EFI. Farimani had previously built Percipo, a computer vision company that ended up running inside roughly 40,000 retail stores. Andersson had a track record of small exits with strong fundamentals (HintMD, ZyBooks). Thakur and Manuelian had each spent careers near the place where DevOps meets cybersecurity, and had each, in their own way, gotten tired of watching customers buy more tools to ignore the same alerts.
Founder capsules:
- Built EFI's core business; founded computer-vision pioneer Percipo.
- Early operator at HintMD (sold to Revance) and ZyBooks (acquired by Wiley).
- DevOps and security veteran from Palo Alto Networks and F5.
- Twenty-plus years across Palo Alto Networks, AWS and Cisco.
Their bet, then and now: the most reliable security improvement is subtractive. You cannot exploit a binary that is not in the image. You cannot fail a STIG check on a package you removed. You cannot get paged about a runtime library that no longer exists. This is not particularly subtle. It also turns out to be quite hard to do well - which is why an entire company is doing it. The limit of the approach is equally plain: whatever the application genuinely needs stays in the image, and a CVE in that remaining, reachable code still has to be patched the old way.
RapidFort's platform has the unromantic structure of a Swiss Army knife. RF Analyzer scans images across CI/CD, registries, and Kubernetes - the prerequisite step that earns you the right to talk to a security team. RF Profiler then watches what actually executes in production for a few days, building a real picture of which binaries earn their keep. RF Optimizer takes that profile and produces a hardened image with the dead weight gone, removing somewhere between 60 and 90 percent of the original attack surface, depending on how baroque the base image was. The caveat a practitioner will spot immediately: the profile only knows about code paths that ran while it was watching. A monthly batch job or a rarely hit error handler looks, to the profiler, exactly like a debugging tool nobody uses, so the observation window has to cover the workload's real cycle, and anything it cannot cover has to be kept by explicit policy rather than learned.
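As an added illustration (not RapidFort's code, and not a description of how RF Profiler or RF Optimizer are implemented, which the page does not cover), here is the profile-then-strip idea in miniature: an strace-style execution trace of the workload is parsed, every file the workload successfully executed or opened is marked as used, and everything else in the image's file inventory goes on a removal list, with the reachable packages reported as a by-product. The inventory, package names and trace lines are constructed for the example, and the `keep_always` parameter is a hypothetical policy hook for files a short observation window would never see.

```python
"""Profile-then-strip in miniature (added illustration, not RapidFort's code).
Parse an strace-style trace, mark every file successfully exec'd or opened as used,
and put the rest of the image's inventory on a removal list. All data is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Iterator

# Constructed inventory: path -> owning package, as `dpkg -S`-style data would report it.
IMAGE_FILES = {
    "/usr/bin/python3.11": "python3.11",
    "/usr/lib/x86_64-linux-gnu/libc.so.6": "libc6",
    "/usr/lib/x86_64-linux-gnu/libssl.so.3": "libssl3",
    "/usr/lib/x86_64-linux-gnu/libcrypto.so.3": "libssl3",
    "/usr/bin/curl": "curl",
    "/usr/lib/x86_64-linux-gnu/libcurl.so.4": "libcurl4",
    "/etc/ssl/certs/ca-certificates.crt": "ca-certificates",
    "/app/server.py": "app",
    "/app/rotate_keys.py": "app",  # monthly cron job: never seen in a few days of profiling
    "/usr/bin/bash": "bash",
    "/usr/bin/gdb": "gdb",
    "/usr/bin/apt-get": "apt",
}

# Constructed trace in the output format of `strace -f -e trace=execve,openat`.
TRACE = """\
[pid  1234] execve("/usr/bin/python3.11", ["python3", "/app/server.py"], 0x7ffd2c1e5d30 /* 12 vars */) = 0
[pid  1234] openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
[pid  1234] openat(AT_FDCWD, "/app/server.py", O_RDONLY|O_CLOEXEC) = 3
[pid  1234] openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libssl.so.3", O_RDONLY|O_CLOEXEC) = 4
[pid  1234] openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libcrypto.so.3", O_RDONLY|O_CLOEXEC) = 5
[pid  1234] openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 6
[pid  1234] openat(AT_FDCWD, "/var/log/app.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 7
[pid  1240] execve("/usr/bin/curl", ["curl", "-sf", "http://127.0.0.1:8080/healthz"], 0x55d1a2b0 /* 12 vars */) = 0
[pid  1240] openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libcurl.so.4", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid  1234] openat(AT_FDCWD, "/app/server.py", O_RDONLY|O_CLOEXEC) = 8
[pid  1240] <... openat resumed>) = 3
[pid  1241] execve("/usr/bin/gdb", ["gdb", "-p", "1234"], 0x55d1a2b0 /* 12 vars */) = -1 EACCES (Permission denied)
"""

PID_RE = re.compile(r"^\[pid\s+(\d+)\]\s*")
RESUMED_RE = re.compile(r"^<\.\.\. \w+ resumed>")
SYSCALL_RE = re.compile(r"^(?P<call>execve|openat)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
QUOTED_RE = re.compile(r'"([^"]*)"')
UNFINISHED = " <unfinished ...>"


def stitch(trace: str) -> Iterator[str]:
    """Yield whole syscall records, rejoining strace -f '<unfinished ...>' / '<... resumed>' pairs per pid."""
    pending: dict[str, str] = {}
    for line in trace.splitlines():
        m = PID_RE.match(line)
        pid, body = (m.group(1), line[m.end():]) if m else ("main", line)
        if body.endswith(UNFINISHED):
            pending[pid] = body[: -len(UNFINISHED)]
            continue
        r = RESUMED_RE.match(body)
        if r:
            body = pending.pop(pid, "") + body[r.end():]
        yield body


def touched_paths(trace: str) -> set[str]:
    """Absolute paths that were successfully exec'd or opened; failed calls prove nothing and are skipped."""
    touched: set[str] = set()
    for record in stitch(trace):
        m = SYSCALL_RE.match(record)
        if not m or int(m.group("ret")) < 0:
            continue
        paths = QUOTED_RE.findall(m.group("args"))
        # The first quoted argument is the pathname for both execve and openat; argv strings follow it.
        if paths and paths[0].startswith("/"):  # relative paths would need the dirfd resolved; skip them
            touched.add(paths[0])
    return touched


@dataclass(frozen=True)
class Plan:
    keep: frozenset[str]
    remove: frozenset[str]
    reachable_packages: frozenset[str]


def plan_removal(inventory: dict[str, str], trace: str, keep_always: Iterable[str] = ()) -> Plan:
    """Keep what the profile saw plus an explicit allowlist (hypothetical policy hook); drop the rest."""
    used = touched_paths(trace) | set(keep_always)
    keep = frozenset(p for p in inventory if p in used)
    remove = frozenset(inventory) - keep
    return Plan(keep, remove, frozenset(inventory[p] for p in keep))


if __name__ == "__main__":
    plan = plan_removal(IMAGE_FILES, TRACE, keep_always={"/app/rotate_keys.py"})
    for path in sorted(plan.remove):
        print(f"rm {path}   # package {IMAGE_FILES[path]}")
    print("reachable packages:", ", ".join(sorted(plan.reachable_packages)))
```

Two details carry most of the value. Failed calls (the denied execve of gdb) are not evidence of use, so a tool an attacker tried and failed to run does not earn a place in the image. And strace -f splits records across `<unfinished ...>` and `<... resumed>` lines when processes interleave; they have to be rejoined per pid before parsing, or a library the workload really loaded (libcurl here) is mistaken for dead weight and stripped.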
The Curated Images catalog is the part most developers meet first. Over 35,000 hardened images built on Ubuntu, RHEL, Debian, Alpine and others - the same upstream distributions you already use, with the vulnerable packages stripped out. They are free to pull. They are aligned to specific compliance frameworks. They are, in many cases, drop-in replacements that quietly cause your nightly CVE report to deflate. The usual base-image discipline still applies: reference them by digest rather than by a floating tag, so the image you reviewed is the image you ship.
Platform components:
- RF Analyzer: vulnerability scanning across pipelines, registries, and clusters. Table stakes, done correctly.
- RF Profiler: runtime observation. Learns what executes - and, more usefully, what does not.
- RF Optimizer: automated attack-surface reduction. The subtractive part of the pitch.
- Curated Images: 35,000+ hardened, near-zero-CVE images. The free front door to the platform.
- Compliance validation for FedRAMP, STIG, CIS, SOC 2, CMMC. Auditor-friendly by design.
- Real and reachable bills of materials, not just whatever the registry happened to declare.
[Chart: reported reductions on common base images after RF Optimizer. Source: RapidFort published benchmarks. Your mileage will vary - that is the point of profiling.]
Defense Unicorns - a name that suggests a Pixar pitch but is in fact a serious defense-software outfit - picked RapidFort to accelerate secure delivery for U.S. defense missions. The Modern Data Company chose RapidFort's curated images to harden customer data infrastructure. Carahsoft, the standard public-sector distributor, carries RapidFort for federal buyers, which is the kind of unglamorous distribution deal that quietly determines whether a security company gets to play in regulated industries at all.
The $42M Series A added Felicis (back for more), Alumni Ventures, Boulder Ventures, Brave Capital, Evolution, Florida Funders, Gaingels, and Mana to a cap table that already included Forgepoint. The story the round tells is not "AI changes everything." It is the older, less fashionable story of a category that has finally caught up with the founders' original framing.
Ask RapidFort's leadership what success looks like and they will tell you, in mild Bay Area understatement, that they would like to make container hardening a thing nobody talks about. Like TLS, or seatbelts. A boring default. A line item that does not require a quarterly business review.
It is a stranger mission than it sounds. The security industry has commercial incentives to keep things interesting - dashboards that demand attention, severity scores that change weekly, conferences that need keynotes. A company that wants its product to recede into infrastructure is, in some sense, betting against its own genre.
The volume of software being assembled - and the speed at which it is being assembled - is on a curve that does not appear to be flattening. Code generation tools and autonomous agents are producing Dockerfiles, dependency manifests, and CI configs at a clip no security team can hand-review. The Cyber Resilience Act (CRA) in Europe is putting legal weight behind software supply chain hygiene. FedRAMP is tightening. Boards are starting to ask uncomfortable questions about SBOMs.
In that world, the only durable answer is automation that runs upstream of the problem. Removing vulnerabilities before they ship beats remediating them after. Curated bases beat custom hand-builds. Subtraction beats triage. RapidFort has been making that argument since 2020, when it was a minority opinion. In 2026, the rest of the industry seems to be coming around.
Back at 440 North Wolfe Road, the lights are still on. The company is doing the thing it has always done - quietly removing software from other people's software, so other people's software stops keeping them awake at night. The fort, as it turns out, is mostly negative space. That is the joke. That is also the product.